Assessment of the SEC Information Technology Investment Process

March 26, 2010
Report No. 466

UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549

OFFICE OF INSPECTOR GENERAL

MEMORANDUM
March 26, 2010

To:       Mary L. Schapiro, Chairman
          Charles Boucher, Director, Office of Information Technology

From:     H. David Kotz, Inspector General, Office of Inspector General (OIG)

Subject:  Assessment of the SEC Information Technology Investment Process, Report No. 466

This memorandum transmits the U.S. Securities and Exchange Commission OIG’s final report detailing the results of our audit of the Commission’s information technology process. This audit was conducted in accordance with our annual audit plan.

Based on written comments received to the draft report and our assessment of the comments, we revised the report accordingly. This report contains nine recommendations, to all of which the Offices of the Chairman and Information Technology concurred. Management’s full comments to this report are included in the appendices.

Within the next 45 days, please provide OIG with a written corrective action plan that is designed to address the recommendations. The corrective action plan should include information such as the responsible official/point of contact, time frames for completing the required actions, milestone dates identifying how you will address the recommendations cited in this report, etc.

Should you have any questions regarding this report, please do not hesitate to contact me. We appreciate the courtesy and cooperation that you and your staff extended to our auditor.

Attachment

cc:       Kayla J. Gillan, Deputy Chief of Staff, Office of the Chairman
          Diego Ruiz, Executive Director, Office of the Executive Director
          Lewis W. Walker, Deputy Director, Chief Technology Officer, Office of Information Technology

Executive Summary

Background. The U.S. Securities and Exchange Commission (SEC or Commission) has established a Capital Planning and Investment Control (CPIC) process and structure for the approval and oversight of Information Technology (IT) investments. The CPIC process provides for the ongoing identification, selection, control, and evaluation of information resource investments. The process links budget formulation and execution functions, and is focused on the agency’s missions and achieving specific program outcomes.
Specifically, the CPIC process addresses the decision criteria used in selecting IT investments, as well as the use of defined performance measures in assessing the investment outcomes in implementation and operation.

Objectives. The objectives of the audit were to determine whether the CPIC process and procedures, and the IT investment structure made up of three governing boards: the Project Review Board (PRB), Information Officers Council (IOC), and Information Technology Capital Planning Committee (ITCPC), adhere to governing Commission policy and applicable federal laws and regulations. We also examined whether adequate procedures exist to ensure that major IT investments are properly approved within the process. Lastly, we assessed whether major IT investment projects were properly approved by the appropriate IT board.

Prior OIG Audit Report. The OIG issued IT Capital Investment Decision-Making Follow-up, Report No. 365, on the IT investment process on March 29, 2004, and the report consisted of 25 recommendations.[1] The report noted that the Commission had made progress in the IT investment area, but found that the Commission’s process still did not meet the minimum criteria of the Government Accountability Office’s (GAO’s) Information Technology Investment Management Maturity Model and was not in full compliance with applicable laws and regulations. The report further found that the SEC’s IT investment decision-making process remained a “significant problem” for the Commission, and that the governance of this critical Commission function needed to be strengthened. The OIG recommended that the Commission assign specific responsibility and delegate appropriate authority for establishing a compliant and effective IT decision-making process. The report further recommended that the SEC ensure that the necessary changes were completed in a timely manner by the implementation of a performance accountability process. However, at the time we conducted our audit work for this audit, several recommendations in the prior OIG report were not completely addressed; specifically, the recommendations regarding the publishing of an IOC charter and establishing the Chief Information Officer’s (CIO’s) authority. As of this date, five years later, we found that the CIO still lacks the necessary authority to manage the CPIC process adequately.

[1] The audit was conducted as a follow-up to a previous review of the IT capital investment decision-making process: Report No. 334, “IT Decision Making Process,” August 28, 2001.

Results. The audit found that several program improvements are needed within the CPIC process regarding the Commission’s implementation of its CPIC policies and procedures and the CIO’s authority. Specifically, we found that two out of four investments we reviewed in a judgmentally-selected sample did not follow the process prescribed in the CPIC policies and procedures, which led to significant decisions being made regarding IT investments without a meaningful review by the appropriate boards. We also found that a lack of effective project management is contributing to the agency’s failure to properly manage IT projects.

In addition, we found that the CPIC policies need to be revised to create an enforceable mechanism that divisions and offices within the Commission must follow. Further, based on an OIG survey of IT investments within SEC, we found the need for more direct involvement from the divisions and offices in IT investments.

Finally, we found that the CIO’s authority is limited in contravention of pertinent statute and Office of Management and Budget guidance and, as a result, the CIO is not able to manage and oversee the CPIC process adequately.

Summary of Recommendations. This report found significant concerns with the IT investment process and makes 9 specific and concrete recommendations to improve the process.[2]

These recommendations are for the Commission to:

    (1) Improve the Office of Information Technology’s (OIT) oversight of IT investments to ensure that the requirements in the CPIC policies and procedures are followed.

    (2) Require that status updates on all ongoing projects be provided every six months to manage resources for IT investments.

    (3) Immediately fill a critical vacant project management position with an experienced and qualified candidate.

    (4) Perform an assessment of the project management functions to ensure an appropriate ratio of projects to project managers.

    (5) Delegate to the CIO authority necessary for the management and oversight of the CPIC process, including full authority to develop and execute all IT policies.

    (6) Revise the Code of Federal Regulations to provide the CIO with full authority to develop IT policies.

    (7) Revise the SEC’s internal regulations to create an enforcement mechanism for the CPIC process.

    (8) Conduct periodic internal reviews to ensure that requirements applicable to IT investment management are properly enforced.

    (9) Require that all SEC divisions and offices use OIT’s project management system, and update and maintain the data in the system for the investments within their program areas.

[2] The audit also re-issues and expands upon two OIG recommendations contained in its 2004 report regarding the CIO’s position.

Table of Contents

Executive Summary ...... ii
Table of Contents ...... v

Background and Objectives
    Background ...... 1
    Objectives ...... 3

Findings and Recommendations
    Finding 1: IT Investments Did Not Follow the Formalized Process Prescribed in the CPIC Policy and Procedures ...... 5
        Recommendation 1 ...... 14
        Recommendation 2 ...... 14
    Finding 2: IT Projects Have Not Been Properly Managed ...... 14
        Recommendation 3 ...... 18
        Recommendation 4 ...... 18
    Finding 3: The Chief Information Officer’s Control is Limited Because He Lacks the Authority Required by Statute to Adequately Manage IT Resources ...... 18
        Recommendation 5 ...... 21
        Recommendation 6 ...... 21
    Finding 4: The CPIC Policy Needs to be Revised to be Enforceable Throughout the Commission ...... 21
        Recommendation 7 ...... 23
    Finding 5: The OIG Survey Revealed the Need for More Involvement from the Division and Offices on IT Investments ...... 23
        Recommendation 8 ...... 29
        Recommendation 9 ...... 29

Appendices
    Appendix I: Acronyms ...... 30
    Appendix II: Scope and Methodology ...... 31
    Appendix III: Criteria ...... 34
    Appendix IV: List of Recommendations ...... 36
    Appendix V: Management Comments ...... 38
    Appendix VI: OIG Response to Management’s Comments ...... 43

Tables
    Table 1: 2007/2008 Investment Approval Thresholds ...... 6
    Table 2: 2009 Investment Approval Thresholds ...... 6
    Table 3: SEC IT Investment Projects Selected For Verification ...... 7
    Table 4: Project Management Nine Knowledge Areas ...... 15
    Table 5: Investment Team Roles ...... 26

Figure
    Figure 1: Fundamental Phases of the IT Investment Approach ...... 2

Background and Objectives

Background

The U.S. Securities and Exchange Commission (SEC or Commission) has established a Capital Planning and Investment Control (CPIC) process and structure for the approval and oversight of Information Technology (IT) investment projects. The primary mission of the CPIC process is to establish a strategic approach as to how the Commission uses its IT funds. It serves as a means of ensuring that the SEC’s IT investments achieve specific outcomes. The CPIC process provides for the identification, selection, control, and evaluation of investments in information resources.
The process also addresses the decision criteria used in selecting IT investments and the use of defined performance measures in assessing an investment’s progress.

The process is controlled by three governing boards:
    1. Information Technology Capital Planning Committee (ITCPC);
    2. Information Officers Council (IOC); and the
    3. Project Review Board (PRB).

All projects must be reviewed initially by the PRB and must then be approved by the IOC. Each board has a charter that outlines its role in the IT investment process at various levels within the investment process.

CPIC Boards Roles and Responsibilities. The ITCPC meets quarterly and serves as the highest IT investment body within the CPIC process. Its role is to achieve the SEC’s mission and goals, maximize value, manage risk, achieve efficiency and effectiveness, and assign responsibility and accountability. The ITCPC provides strategic direction to the IOC and PRB on executive level selection, control, and evaluation of agency-wide IT investments. The ITCPC is charged with ensuring that the Office of Information Technology (OIT) publishes CPIC policies, procedures, and selection criteria, and will periodically review those materials to ensure they comply with external mandates and effectively support the SEC’s decision-making process.

The IOC meets every month and is comprised of senior officers within the Commission. Its primary role is to select and evaluate IT investments that meet the strategic direction of the agency and to provide sound and diverse advice to the Chief Information Officer (CIO) on the Commission’s IT portfolio. The IOC is responsible for providing recommendations to the investment sponsor prior to the presentation of the investment proposal and periodically reviewing the results of completed investments. The IOC is also responsible for conducting periodic reviews of the entire IT portfolio and assigns action items to IOC members or OIT staff for resolution and reporting. The IOC takes different roles with respect to IT investments depending on the cost of the project.

The PRB meets weekly and is charged with ensuring that IT investments are selected, controlled, and evaluated after completion. The PRB is also required to: (a) ensure the soundness and viability of proposed IT investments prior to selection; (b) make sure that staff and budget resources for projects are fully planned before, and managed during, project execution; (c) inform, advise, and make recommendations to the CIO and OIT senior management; and (d) provide guidance and assistance to project managers to ensure the full scope of each project is completed on time and within budget.

Federal IT Investment Management Model. A central tenet of the federal approach to IT investment management has been the select/control/evaluate model, as illustrated in Figure 1, Fundamental Phases of the IT Investment Approach. The Government Accountability Office (GAO) initially identified this model, which provides a systematic method for agencies to minimize risks while maximizing the returns of investments.[3]

Figure 1: Fundamental Phases of the IT Investment Approach

    Select Phase:    Screen; Rank; Choose
    Control Phase:   Monitor progress; Take corrective actions
    Evaluate Phase:  Make adjustments; Apply lessons learned

    Source: GAO

[3] GAO-04-394G, GAO Executive Guide, “Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity,” Version 1.1, March 2004, at pgs. 7-8.

During the select phase, as noted in Figure 1, the organization (1) identifies and analyzes a project’s risks and returns before committing significant funds to a project; and (2) selects those IT projects that will best support the organization’s mission needs. This process should be repeated each time funds are allocated to projects, even when reselecting ongoing investments.[4]

During the control phase, the organization ensures that, as a project develops and investment expenditures continue, the project continues to meet the organization’s mission needs at the expected levels of cost and risk. If the project is not meeting expectations or if problems have arisen, steps should be taken quickly to address the deficiencies. If mission needs have changed in the control phase, the organization is able to adjust its objectives for the project and appropriately modify expected project outcomes.[5]

During the evaluate phase, actual and expected results are compared after a project has been fully implemented. The purpose of this comparison is to (1) assess the project’s impact on mission performance, (2) identify any necessary changes or modifications to the project, and (3) revise the investment management process based on lessons learned.[6]

[4] Id. at p. 8.
[5] Id.
[6] Id.

Contracting Officer’s Authority. Contracting Officers have the authority to enter into, administer, and terminate contracts. They may bind the Government only to the extent of the authority delegated to them. Contracting Officers receive clear instructions in writing from the appointing authority regarding the limits of their authority. Contracting Officers must ensure that no contract is entered into unless all requirements of law, executive orders, regulations, and all other applicable procedures, including clearances and approvals, have been met.

Objectives

The objectives of the audit were to examine whether SEC divisions and offices have established procedures to ensure that major IT investments are properly approved by the CPIC boards, specifically, the PRB, IOC and/or the ITCPC. The audit objectives also were to:

    • Determine whether the CPIC process and procedures and the PRB, IOC, ITCPC structures adhere to governing Commission policy and applicable federal laws and regulations;

    • Examine whether procedures exist to ensure that major IT investments are properly approved within the CPIC process and are presented to the PRB, IOC and/or ITCPC as appropriate; and

    • Assess whether major IT investment projects are properly approved by the appropriate CPIC board(s).

Findings and Recommendations

We determined that the SEC has a documented structure, approval process and adequate procedures that adhere to governing Commission policy and applicable federal laws and regulations. We also found that comprehensive procedures are documented for major IT investments, but that the procedures are not consistently followed throughout the Commission. In this audit, we assessed whether major IT investments were properly approved by the appropriate CPIC board and identified some deficiencies and areas of non-compliance. Specifically, we found that although the Commission has established a comprehensive CPIC process and structure for the approval and oversight of IT investments, there are still some areas that should be enhanced. The SEC has gone to great lengths, and expended significant resources, to develop an IT CPIC structure, approval process and procedures that adhere to federal laws and regulations. However, the Commission is not adequately implementing all phases of the CPIC process and procedures that are contained in its regulations and implementing instructions.
More specifically, we found that:\n\n         1) IT investments did not always follow the formalized CPIC process;\n         2) IT projects were not adequately managed;\n         3) The CIO\xe2\x80\x99s control is limited because he lacks the necessary authority\n            required by statute;\n         4) The CPIC policy needs to be enforced throughout the SEC; and\n         5) A need exists for more direct involvement in IT investments by the\n            Divisions and Offices.\n\n\nFinding 1: IT Investments Did Not Follow the\nFormalized Process Prescribed in the CPIC Policy\nand Procedures\n         Two of four investments selected for OIG review did not\n         follow the formalized process prescribed in the Capital\n         Planning and Investment Control policies and procedures.\n\nThe SEC\xe2\x80\x99s CPIC Process. All projects regardless of budget must initially be\nreviewed by the PRB for soundness and viability within the Commission\xe2\x80\x99s\narchitecture. 7 As the scope of this audit covered calendar year 2007 to June\n2009, OIG reviewed two different threshold requirements, because the\n\n7\n  This information was obtained from an internal OIT restricted SharePoint site that has Capital Planning and\nInvestment Control data, such as an overview of the process, meeting information, board links,\nportfolio/project data and threshold information by fiscal year.\nAssessment of the SEC Information Technology Investment Process                            March 26, 2010\nReport No. 466\n                                                 Page 5\n\x0crequirements changed for 2009. 
IT investments approved in 2007 and 2008\nwere subject to the approval thresholds shown in Table 1 as follows:\n\n            Table 1: 2007/2008 Investment Approval Thresholds\n             Investment Amount Who Reviews?\n\n             Less than $200,000              With approval from the CIO, the PRB may\n                                             review and approve the investments.\n             Above $200,000                  The IOC must approve.\n            Source: OIT\n\nTable 1 illustrates in 2007 and 2008, investments costing $200,000 or less were\napproved by the PRB if they met the technical requirements of the Commission\xe2\x80\x99s\narchitecture, as determined by the CIO. The PRB consists of managers within\nOIT and a representative from the Office of Acquisitions. Investments of\n$200,000 or more were required to be presented to the IOC for approval. 8\n\nInvestments approved or presented in 2009 were subject to the approval\nthresholds shown below in Table 2:\n\n           Table 2: 2009 Investment Approval Thresholds\n            Investment     Who Reviews?\n            Amount\n             Less than               With approval from the CIO, the PRB will review and\n             $100,000                oversee these investments.\n             $100,000 to             With approval from the CIO, the PRB will review\n             $250,000                these investments and determine if they need to be\n                                     forwarded to the IOC or can be approved at the PRB\n                                     level.\n             Above                   The IOC must approve any projects that are greater\n             $250,000                than $250,000.\n           Source: OIT\n\nIn 2009, if an investment was less than $100,000, the PRB would oversee the\ninvestment after it had been approved by the CIO. 
The same process applied for\ninvestments ranging from $100,000 to $250,000, unless the PRB chose to\nforward them to the IOC for approval due to visibility, impact on the agency or\nother reasons. Finally, all investments greater then $250,000 had to be\napproved by the IOC. 9\n\nWhen an investment is forwarded to the IOC, the IOC reviews the investment\npresentation from the requesting division or office and considers any advice\ngiven from the PRB. The IOC then determines whether the investment is in-line\nwith the SEC\xe2\x80\x99s strategic direction and the funds are available to execute the\n\n8\n    Id. at 2008 review thresholds.\n9\n    Id. at 2009 review thresholds.\nAssessment of the SEC Information Technology Investment Process                    March 26, 2010\nReport No. 466\n                                                  Page 6\n\x0cproject. If these criteria are met, the investment is formally approved. For all\nprojects presented to a CPIC board, an approval or disapproval document is\nprepared detailing the reason for the board\xe2\x80\x99s decision. 10 If the project is\napproved, the approval document, the project purpose, approval amount and\nagreed upon timeframes for completion, are put into OIT\xe2\x80\x99s project management\nsystem for monitoring. 11\n\nIT Project Verification. During our audit, we assessed whether major IT\ninvestment projects were properly approved by the appropriate CPIC board. We\ndeveloped a web-based IT investment project questionnaire, which we sent to 34\ndivisions and offices within the Commission. 12 We utilized an online tool to\ndevelop the survey, which consisted of multiple choice and short answer\nquestions. We also asked SEC divisions and offices to populate an\naccompanying spreadsheet if they had any major IT investment(s) costing\n$200,000 or more during January 2007 to June 2009. We received populated\nspreadsheets from 7 of 34 SEC divisions and offices. 
Based on the seven\npopulated spreadsheets we received, OIG judgmentally selected four IT\ninvestment projects for verification. 13\n\nTable 3, shown below, identifies the four IT investment projects OIG selected for\nverification: (1) Momentum Upgrade; (2) Regional Office Backup; (3) Automated\nProcurement System; and the (4) Risk and Surveillance Data Analysis and\nReporting.\n\nTable 3: SEC IT Investment Projects Selected For Verification\n SEC       Name of Investment      CY    Total Projected Followed CPIC\n Division/ Project                       Contract Cost      Process\n Office\n 1. OFM          Momentum Upgrade                 2007         $3.4M                     Yes\n 2. OIT          Regional Office Backup           2008         $200K                     No\n 3. OAS          Automated                        2008         $3.5M                     No\n                 Procurement System\n 4. OCIE         Risk and Surveillance            2009         $300K                     Yes\n                 Data Analysis and\n                 Reporting\nSource: SEC/OIT Clarity system and verification documentation.\n\nFor the IT investment projects selected for verification, the OIG conducted\ninterviews with the investment sponsors and/or project managers of those\n\n10\n   Implementing Instruction (II) 24-02.01.02 T01, Record of Decisions for IT Investments form. This\ndocument is used to officially record IT investment decisions and to provide the necessary authorization to\nproceed with the CPIC process.\n11\n   See Clarity system in the portfolio/project management information module.\n12\n   These included both divisions and offices at headquarters and the regional offices.\n13\n   In our survey, we defined major investments as projects costing $200,000 or more, or projects that were\nhighly visible within the Commission. 
The Executive offices, such as the Offices of the Chairman and the\nCommissioners were not included in the survey results because they do not sponsor large IT investments.\nAssessment of the SEC Information Technology Investment Process                            March 26, 2010\nReport No. 466\n                                                 Page 7\n\x0cprojects. We also reviewed support documentation for the projects, proposal\nrequests, board meeting minutes and presentation slides. Our verification\nprocess found that two of the four investment projects did not follow the\nformalized process prescribed in the CPIC policies and procedures. A detailed\nreview of the IT investment projects OIG selected for verification follows.\n\nOIG Verification of IT Investment Projects\nMomentum Upgrade. The IOC approved the Momentum Upgrade project for\n$2.1 million in March 2007. The Office of Financial Management (OFM)\nrequested an emergency waiver from the CIO in August 2007 for additional\nfunding of $595,560 to fund the upgraded contract fully. In September 2007,\nOFM asked OIT for an additional $500,000 for hardware and software and to\ncombine an IT project entitled, \xe2\x80\x9cMomentum Upgrade Licenses and Servers,\xe2\x80\x9d\nwhich already had an investment of $87,500, with the overall Momentum\nupgrade project. This addition increased the total funding for the project to $3.2\nmillion. At the end of Fiscal Year 2007, the project received $200,000 in\nadditional \xe2\x80\x9cswept funds,\xe2\x80\x9d 14 increasing the total funding for the project to $3.4\nmillion. Our audit of this project revealed that the formalized process and\nprocedures of the CPIC process were followed. We found two occasions in\nwhich the project manager discovered an issue with the investment. 
In the first instance, the project manager made a proper change request to the IOC for the additional funds and, in the second instance, he requested an emergency waiver from the CIO.

[14] "Swept funds" refers to a situation where a previously approved project did not require all the funds that had been approved for it and, accordingly, the funds are "swept" back into the budget and used for other projects. The Momentum Upgrade project received additional funds that were swept from another project.

Risk and Surveillance Data Analysis and Reporting. The Risk and Surveillance Data Analysis and Reporting project is a 2009 IT investment that the IOC approved in April 2009 for $300,000. The Office of Compliance Inspections and Examinations (OCIE) requested this investment to develop reporting capabilities for risk management. To date, there have been no change requests for this investment, and our audit revealed that the project complied with the CPIC formalized process and procedures. We therefore determined that this project appears to be running smoothly and on target for an April 2010 completion date.

Regional Office Backup Project. The PRB approved the Regional Office Backup project in June 2008 as a pilot to improve backup capabilities at the regional offices, and it was funded for $200,000. At the time the project was approved, the regional offices were having trouble storing data from past and ongoing cases, and the project was intended to increase the storage capacity at those offices. In September 2008, the sponsor appropriately submitted a change request to the PRB because the delivery schedule for the equipment was delayed and would impact the milestones established for the project.
However, during performance testing in March 2009, the sponsor discovered that the project had major problems with overheating and performance. The server room in a regional office was already oversubscribed by approximately 19,000 BTU/hour,[15] and the additional equipment needed for the backup project would have made the room worse. Also, the equipment purchased to improve the regional office backup capability did not have the performance levels needed by the regional office and, in fact, would have lowered the regional offices' case system performance instead of improving it. The IT security group rated the project as a high risk due to the problems identified during the security testing. Where significant problems are found, the sponsor of a project is required to go back to the PRB immediately and submit a change request.[16] In this case, the testing highlighted problems with both (a) performance and delivery expectations and (b) documented technical and operational risks and expectations, either of which would constitute a significant baseline change.[17]

However, our audit found that, contrary to the prescribed process, the sponsor did not submit a change request in March 2009. Instead, the sponsor decided in April 2009 to reuse the equipment to support the Alternate Data Center (ADC) project and cancelled the Regional Office Backup project. Only in August 2009 did the sponsor finally return to the PRB, one year and two months after the initial approval of the project and five months after the problems had been discovered during performance testing, to submit a change request and to inform the board that the pilot had not worked, the project was being cancelled, and the equipment purchased for the project was being used to support another ongoing IT project.

At the time a project is approved, IT investment baselines are established.
The established "baselines document an agreement between the investment sponsor and the CPIC decision authority to deliver, within a defined time frame, a specific product or service at a specific cost."[18] From our perspective, the purpose of the requirement that sponsors inform the CPIC decision authorities of significant baseline changes in a project is to ensure that changes to the documented agreement are known to and accepted by all parties involved.[19] In this case, the PRB was not afforded an opportunity to state whether it approved the equipment being used to support the ADC project, because the sponsor decided to cancel the project and re-purpose the equipment without notifying the PRB. This resulted in the PRB incorrectly believing that the Regional Office Backup project was on target and would address the regional offices' storage problems. Consequently, the SEC has expended $200,000 for equipment that did not work for its intended purpose, and the regional offices still have a storage problem that needs to be addressed.

[15] British thermal unit (BTU) is an imperial unit of measurement for heat.
[16] II 24-02.01.02, "Information Technology Investment Control," at p. 7.
[17] Id. at p. 7, which requires CPIC Decision Authority approval for baseline changes.
[18] II 24-02.01.02 at p. 6.
[19] The roles and responsibilities of the CPIC Decision Authorities (ITCPC, IOC, CIO) are described on p. 14 of II 24-02.01.02.

Automated Procurement System. The Automated Procurement System (APS) project was not formally approved by any CPIC board.
The project evolved from a multiple-year project, the Strategic Acquisition Manager (SAM) project sponsored by the Office of Administrative Services (OAS), which the IOC approved in April 2005 to automate the SEC's acquisition process and to close out an outstanding audit finding.[20] Although the SAM project was eventually cancelled, our review of the project management system's (Clarity) status reports for the SAM system did not reveal any problems identified by the sponsor that were not resolved by the contractor. While the status comments revealed defects identified during testing, they show that the contractor resolved all of the defects. For example, the January 2007 status comments stated that the system had failed User Acceptance Testing (UAT) and that the test team had recorded 88 critical system defects during the UAT. The February 2007 comments reflect that the contractor had remedied 100 percent of the 88 critical defects found during the UAT.

In addition, documents establish that in April 2007 the SAM system owners had completed re-testing of the repaired application, and the sponsor conditionally accepted the system. The February 2007 comments further indicate that all critical defect fixes had been applied to the system. We also learned from reviewing status comments and from discussions with the project manager that in April 2007 the critical and non-critical items were addressed and the sponsor fully accepted the system. As a result, SAM was placed into production with limited use on May 16, 2007.[21]

We also found that in January 2008 the OAS director requested $350,000 in additional funding from the IOC for customer support for SAM, which the IOC approved.

OAS staff provided OIG with documentation highlighting the system's poor performance, as well as many concerns they encountered with the developer once the system was fielded. OIG was informed that SAM was in use for over a year; however, production was limited due to the problems that were encountered. Specifically, OAS staff provided the OIG with:

• Emails addressed to the developer communicating significant problems with the system that were not or could not be resolved;
• Screen shots of problems with the SAM modules; and
• Dates of meetings held with the developer in an attempt to resolve the identified problems.

[20] Administration of Information Technology Contracts, Report No. 350, dated December 16, 2002, Recommendation P.
[21] Discussions with the Office of the Executive Director (OED), OAS and OIT revealed that the system was in production with limited use because it was never deployed to the entire contracting office.

Further, OAS officials informed us that after several attempts to address the problems with SAM, the system still had major problems that could not be resolved. According to OAS, at a meeting in April 2008 the developer indicated that a possible solution would be to upgrade the system at significant additional cost to the Commission, in the hope that all of the problems would be addressed.[22] However, OAS indicated that the developer could not guarantee that all the identified problems would be resolved by the upgrade.
Therefore, OAS management determined that the only solution was to cancel the project. Although OAS officials showed us email documentation of concerns about the performance of the SAM system, these concerns were not documented in the project management system's (Clarity) status reports.

On June 23, 2008, OAS gave a "lessons learned" presentation to the IOC and informed it of the SAM system's cancellation due to performance issues and of a plan to solicit companies to implement a new procurement system, the APS. This presentation occurred three years and one month after the initial approval of the SAM project and one year and five months after the problems were discovered during the UAT. Moreover, this was merely a "lessons learned" presentation; a formal request for IOC approval was never made.

Because the APS project flowed out of the SAM project cancellation, OAS commenced the APS project without formal approval from any CPIC board. OAS management informed us that they did not believe IOC approval of the APS project was required because, from their perspective, it was not a new project but a recompete; the SAM project had serious problems that would have cost millions to correct; and OIT had already received approved funding from the SEC Executive Director for the APS project.[23] However, our audit found that the APS project was a separate and distinct project that, according to CPIC policy, required IOC approval. On September 22, 2008, OAS awarded a contract to CompuSearch for $3.5 million to implement the APS project.

Our audit found that, similar to what occurred with the Regional Office Backup project, major decisions to cancel the SAM project and start the APS project were made without IOC approval.
In our view, OAS should have gone back to the IOC when it discovered SAM's performance problems and provided the IOC with the following options:[24]

• Correct the performance problems with the SAM system, which the testing showed had been corrected, and establish performance measures for the contract, explaining the costs that would be incurred in connection with this approach; or
• Cancel the SAM project and begin a new project, detailing the costs of this approach.

[22] Per the charts provided by OAS, this meeting was held in April 2008.
[23] Memorandum from the Executive Director (ED) to the CIO dated June 25, 2008, stating that during the mid-year budget review $3.5M was provided to OIT for the new acquisition system to replace SAM.
[24] II 24-02.01.02 at pgs. 6-7 provides that after an investment enters the execution phase, its baseline may not be materially changed unless the appropriate CPIC decision authority (ITCPC, IOC, CIO) approves such a change.

If the IOC had been provided these options, it would have been aware of the issues and would have had the opportunity to make a sound decision as to the direction it deemed appropriate based on the facts presented by OAS. Instead, the IOC was deprived of this information and opportunity, as OAS informed the IOC of the situation only after cancelling the SAM project and deciding to begin the new APS project.

Accordingly, our audit found that two of the four projects selected for verification (Regional Office Backup and APS) did not comply with applicable processes and procedures, and the IT boards were not afforded opportunities to conduct meaningful reviews of them.
These two projects had a combined total of almost $4 million and are examples of projects that should have gone back to the boards for approval before any action to cancel the projects, or to begin new projects, was taken, because both projects underwent significant baseline changes.

According to Section C of the CPIC Implementing Instructions, an investment team is required to return to the boards for approval of material baseline changes.[25] The Implementing Instructions contain the following information on Baseline Changes Requiring either PRB/Project Management Office (PMO) or CPIC Decision Authority Approval:

[25] Id. at pgs. 6-7.

• A baseline schedule change may be approved by the PMO or PRB:
    o A baseline schedule change is needed because of delay in contract award (or in the delivery terms of the contract) and the time delay does not increase the investment's cost. In such cases, the PMO may approve the schedule baseline change.
    o The PRB directs a change of an investment's baseline schedule on the basis that there are no additional costs or technical impacts associated with the schedule change, and the investment's sponsor approves of the change.
    o The PRB directs a baseline schedule change to re-allocate needed resources to another investment based on overall portfolio priorities or other operational considerations.
      The decision and rationale shall be recorded in the PRB minutes.
• An investment team shall request a change in the approved baseline when it is no longer advisable or feasible to meet an established baseline commitment because conditions exist that adversely affect:
    o Costs, including those associated with a related investment(s);
    o Scope of the approved investment;
    o Delivery schedules, other than those due to contract award or delays due to delivery terms of the contract;
    o Performance and delivery expectations;
    o Documented technical and operational risks and expectations; and/or
    o Other critical factors essential to the investment.[26]

[26] Id. at p. 7.

In the Regional Office Backup project, the testing highlighted problems with both performance and delivery expectations and documented technical and operational risks and expectations, either of which would constitute a significant baseline change.

In the APS project, OAS cancelled the SAM project and started an entirely new APS project without formal approval from the IOC. According to the CPIC Implementing Instruction, only the CPIC decision authorities (ITCPC, IOC and CIO) have the authority to determine whether to continue, change or terminate an investment when it fails to achieve its approved baselines.[27] OAS' decision to cancel the SAM project without proper approval resulted in an additional $3.5 million (SAM had already cost $3 million) being spent to automate the acquisition process. Also, in accordance with the Implementing Instruction, OAS should have gone to the IOC when the UAT for the SAM system identified major problems, because the testing highlighted problems with both (a) costs and (b) performance and delivery expectations.

[27] Id. at pgs. 6-8.

In summary, our audit found that despite the significant baseline changes, the sponsors of both projects did not go to the PRB or IOC for approval before the changes were made, as the CPIC policy requires. Instead, the sponsors went to the board after the fact to inform it that the approved projects had been cancelled and that they were either:

• Utilizing the equipment for another project, or
• Starting an entirely new project.

Both actions are a direct violation of the CPIC policy and made it impossible for the boards to conduct a meaningful review of the projects.
Moreover, the fact that 50 percent of the projects we judgmentally selected failed to follow applicable procedures raises serious questions as to whether the CPIC policy is being properly implemented and whether IT investments overall are being appropriately and sufficiently evaluated and approved by the pertinent CPIC board.

Recommendation 1:

The Office of Information Technology should improve its oversight of information technology investments to ensure that projects are in compliance with the requirements in its Capital Planning and Investment Control policies and procedures, specifically those dealing with the implementation of the control and evaluate phases of the Capital Planning and Investment Control process.

Management Comments. Concur. See Appendix V for management's full comments.

OIG Analysis. We are pleased that OIT has concurred with this recommendation.

Recommendation 2:

The Office of Information Technology should require status updates to be provided for all ongoing projects every six months to manage resources (staff, cost and time) for information technology investments of $200,000 and above.

Management Comments. Concur. See Appendix V for management's full comments.

OIG Analysis. We are pleased that OIT has concurred with this recommendation.


Finding 2: IT Projects Have Not Always Been Properly Managed

IT investments are not being properly managed because the project managers are overloaded with assignments, resulting in projects not following the SEC's formalized policies and procedures.

As discussed above, our verification found that two of the four IT investment projects OIG selected were not appropriately managed and failed to follow CPIC policies and procedures. We also learned through interviews with business sponsors and project managers from OIT, OAS, OFM and OCIE, as well as from data obtained from the Clarity system,[28] that IT projects have often been plagued with problems due to:

• The lack of a dedicated technical project manager;
• Unexpected cost overruns;
• Delays with software/hardware;
• System performance; and
• Inadequate development of requirements.

[28] Clarity is a comprehensive project management system. It is a web-based Project/Portfolio Management information system used to support the Capital Planning and Investment Control (CPIC) and project management processes. Its purpose is to provide a central location to view all investment projects.

Project Management Resources. The effectiveness of the CPIC process depends to a great extent on project management. Project management is the application of knowledge, skills, tools and techniques to a broad range of activities to meet the requirements of a particular project. It is a crucial element in implementing any system or service, especially one involving a significant IT investment.[29] Successful project management involves effective management of nine knowledge areas, as illustrated in Table 4 below.

[29] Farm Credit Administration audit report 04-02, Project Management, dated September 9, 2004, at p. 1.

Table 4: Project Management Nine Knowledge Areas

    Scope Management: defining and managing all work required to successfully complete the project.
    Time Management: the ability to complete the project in a structured timeframe.
    Cost Management: preparing and managing a budget for the project and managing costs throughout the project's life.
    Quality Management: ensuring the project will satisfy the stated or implied needs of the organization and its stakeholders.
    Human Resources Management: making effective use of people to complete the project. This area involves assigning the most qualified and skilled person(s) to a specific task of the project to ensure the project is implemented effectively.
    Communications Management: generating, collecting, disseminating and storing project information for all stakeholders.
    Risk Management: identifying, analyzing and responding to risks.
    Procurement Management: acquiring or procuring goods and services that are needed from outside the organization.
    Project Integration Management: the overarching function that affects and is affected by all other knowledge areas; the collaborative effort of all the knowledge areas in executing the project.

Source: Project Management Body of Knowledge[30]

Effective project management is essential to ensuring that IT projects are adequately managed and that historical problems with these projects are remedied. With the numerous IT-related initiatives currently being implemented to meet the challenges facing the SEC, and its increased dependence on IT solutions, effective project management is more critical than ever. However, our audit found that as the need for development, oversight and continuous monitoring of IT investments has increased, the resources available to accomplish this work have decreased. We learned from interviews with OIT management that they were required to give up four positions during 2009, despite the fact that the office was already understaffed. Moreover, we were informed that the Commission had approximately 220 IT projects from 2007 to June 2009, and that OIT had a staff of only 12 technically certified project managers[31] to oversee them.

Additionally, through interviews with business sponsors and project managers within OAS, OCIE, OFM, the Office of Human Resources (OHR) and staff within OIT, we found that project managers were assigned several in-depth projects each (220 projects to 12 project managers) but, due to resource constraints, could not possibly dedicate the necessary time to manage the projects properly and provide adequate oversight of them.
As a result, IT investments were not being managed during the control and evaluate phases of the IT investment process.

Further, our audit found that OIT's project management staff has been so overloaded with assignments that, in many cases, they were unable to devote sufficient time to a single project. In fact, the problems we identified with the two projects discussed above may be directly attributed to inadequate project management. The Regional Office Backup project was the result of poorly defined requirements, which led to the purchase of equipment with performance problems that could not meet the needs of the agency. Although this was a relatively small investment, sound management practices would have identified the capacity needed prior to purchasing the equipment and potentially prevented the expenditure of funds on inadequate equipment. More importantly, adequate project management resources could have resulted in successfully addressing the project's need, i.e., the improvement of backup capabilities within the regional offices, which still remains unaddressed.

[30] The Project Management Body of Knowledge guide is considered to be the broadest and most widely used standard reference of industry best practices for project management. A Guide to the Project Management Body of Knowledge, 3rd edition, PMI Standards Committee, Appendix F at pgs. 338-341.
[31] Certified project managers are individuals who have received a PM Certification, per SEC Operating Directive (OD) 24-02.04.T01, "IT Project Manager Qualification Checklist," May 30, 2006, at pgs. 2-4.

Regarding the APS project, the system performance issues with SAM might have been resolved if the project manager had had the proper amount of time to devote to the project, which could have prevented the loss of $3 million and avoided the cost of a new investment. According to OAS, the failures of the SAM system were not only performance problems with the contractor and system, but were also related to the lack of technical resources available to manage IT projects.

Based on the projects OIG verified, we found that OIT's inability to provide adequate technical resources for the IT projects forced the program offices to contract out the project management function, resulting in increased project costs.[32] In fact, OAS requested additional funds for APS project management, and it has stated in presentations to the boards that costs for APS may continue to increase due to the lack of resources within OIT.

Further, we found that the Project Management Office (PMO) Assistant Director position within OIT has been vacant for over 18 months. This management position is responsible for ensuring that the control and evaluate functions of the CPIC process are adequately addressed within OIT.
According to OIT, the Assistant Director for the PMO also:

• Staffs the PMO branch (hires technical project managers);
• Ensures that approved projects are adequately staffed with the right mix of technical and program staff in order to successfully complete the project;
• Assigns the technical Project Managers (PMs) within OIT to the projects;
• Establishes, oversees and manages the PM staff's training program to ensure that OIT has adequate expertise to manage IT projects; and
• Communicates the CPIC process throughout the SEC.

With this crucial management position vacant for such a long period of time, the SEC has no one charged with ensuring that the control and evaluate functions of the CPIC process are properly addressed and managed. Our audit also revealed that the SEC hired a consultant to perform an assessment of the CPIC process in 2007. In an Executive Briefing to the IOC, the consultant highlighted the same problem the OIG identified with the Commission's project management resources, stating that the IOC needed to assess the capacity of available project managers to oversee the portfolio of projects.[33] We found that, as of the date our report was finalized, this issue had still not been resolved.

[32] Both the APS and Risk and Surveillance Data Analysis and Reporting projects have contracted out the project management function.
[33] The Consultant's Executive Briefing responses dated November 19, 2007.

Recommendation 3:

The Office of Information Technology should immediately fill the position of Assistant Director for the Project Management Office with an experienced and qualified candidate.

Management Comments. Concur. See Appendix V for management's full comments.

OIG Analysis. We are pleased that OIT has concurred with this recommendation.

Recommendation 4:

The Office of Information Technology should perform an assessment of the project management function to compare the current ratio of projects per project manager to the industry's acceptable ratio of projects per project manager.

Management Comments. Concur. See Appendix V for management's full comments.

OIG Analysis. We are pleased that OIT has concurred with this recommendation.


Finding 3: The Chief Information Officer's Control and Effectiveness Are Limited Because He Lacks the Authority Required by Statute to Manage IT Resources Adequately

The CIO lacks the necessary authority to manage and oversee the CPIC process adequately.

Chief Information Officer Authority within the SEC

Several concerns about the IT process identified in our audit may also be related to the CIO's authority within the Commission. We found that the CIO's control and overall effectiveness are limited because the CIO does not have the authority to enforce the Commission's CPIC process.

The CIO currently holds a dual responsibility at the SEC, serving as both the CIO and the Director of OIT. For his role as the OIT Director, the SEC organizational chart indicates that the individual reports directly to the Chairman.
Our review of 17 CFR § 200.13, however, reveals that the Executive Director (ED) exercises administrative authority over the OIT Director. Specifically, the CFR states that the ED provides "executive direction" in addition to "administrative control" and has ultimate responsibility to approve substantive and operational IT policy. We determined that the CIO/OIT Director reports to the ED and thus does not have the authority to influence substantive IT decisions that his direct supervisor (the ED) makes.

The problem highlighted in Finding 1 with the APS project not following the prescribed CPIC process is related to limitations on the CIO's authority. OAS management informed us that they did not know that they were required to obtain the CPIC board's approval for the APS project because they viewed it as a recompete and not a new project, and OIT had already received the funding from the ED to go forward with the new project.

OAS is a "direct" report to the ED, and the ED allocated funding and gave OAS the approval to go forward with the new contract. Thus, the CIO was unable to play any role in ensuring that the CPIC process was followed.

Moreover, we found that the CIO/OIT Director's dual-reporting structure, as implemented within the SEC, violates the statutory requirements of 44 U.S.C. §§ 3506(a)(2)(A) and (3),[34] which specifically provide that the CIO shall report directly to the head of the agency. We also determined that the reporting structure limits his authority to manage IT resources adequately for all Commission divisions and offices.
The current reporting arrangement further violates Office of Management and Budget (OMB) guidance, which provides that each Executive “Department or Agency has a designated executive-level CIO reporting to the head of the organization, with formal and full responsibility for all requirements set forth in [applicable statutes, regulations and guidance].”[35] The OMB guidance further provides that the agency CIO is to have “ultimate responsibility for the governance, management and delivery of IT mission and business programs” and “has an effective means of meeting this responsibility.”[36]

The SEC has advised us that the Office of General Counsel has opined that the CIO’s dual reporting relationship is not violative per se of the applicable statute, since that statute requires that the CIO must report to the agency head with respect to the specified substantive responsibilities, and therefore a CIO could lawfully report to another senior executive with respect to purely administrative matters. While OIG takes no position on whether this legal interpretation is accurate, we found that at the SEC the ED does in fact exercise substantive authority over the CIO by virtue of the current reporting relationship, which violates the letter and intent of the statute as well as OMB guidance.

Furthermore, interviews revealed there is a perception within multiple Commission divisions and offices that OAS, OFM and OHR are able to evade the CPIC process without facing any consequences because the heads of these offices report directly to the ED. The CIO is supposed to be the custodian of the Commission’s IT resources; however, his ability to perform this task effectively is limited by virtue of his reporting relationship with the ED.

OIG Prior IT Capital Investment Process Audit. The OIG issued IT Capital Investment Decision-Making Follow-Up, Report No. 365, in March 2004.

[34] Under 44 U.S.C. § 3506(a)(2)(A), “. . . the head of each agency shall designate a Chief Information Officer who shall report directly to such agency head to carry out the responsibilities of the agency under this subchapter [44 USCS 3501 et seq.].” 44 U.S.C. § 3506(a)(3) provides that “[t]he Chief Information Officer designated under paragraph (2) shall head an office responsible for ensuring agency compliance with and prompt, efficient, and effective implementation of the information policies and information resources management responsibilities established under this subchapter [44 USCS 3501 et seq.] . . . .”
[35] Memorandum for the Heads of Executive Departments and Agencies, M-09-02, Information Technology Management Structure and Governance Framework, dated October 21, 2008, Attachment, Section I.A.
[36] Id. at Section I.B. It should be noted that such “ultimate responsibility” on the part of the CIO remains subject to the overall direction of the head of the agency who, according to statute, is ultimately responsible for all information technology operations and policies. See 44 U.S.C. § 3544(a).
The report made two recommendations to address the issue of the CIO’s authority, as follows:

    • Recommendation 1 - The Chairman should delegate to the CIO the necessary authority to issue and enforce Commission-wide IT policy and regulations; and

    • Recommendation 2 - The preparation of an Action Memorandum to the Commission to modify 17 CFR § 200.13 to formally delegate authority to issue IT policies and regulations to the CIO.[37]

In reviewing whether these recommendations had been closed, we found that some work had been done in an effort to close them out; however, the recommendations were not fully addressed. For recommendation 1, we found that the delegation authority states that the CIO is responsible for advising and assisting the Office of the Chairman and the Division Directors, Office Heads and Regional managers on IT and security related matters.[38] In our view this does not give the CIO/OIT Director the full authority needed to develop and approve IT policy throughout the Commission. Furthermore, we discovered that the CIO/OIT Director currently develops IT policy, but the ED approves and issues the policy.

For recommendation 2, an action memorandum was started, but it was never completed, and according to the current version of 17 CFR § 200.13, the ED still maintains responsibility for developing and executing management policies of the Commission for all its operating divisions and staff offices, including OIT.[39] This regulation further illustrates the lack of authority that the CIO has when it comes to controlling IT resources, which are substantive aspects of his responsibilities.

    Recommendation 5:

    The Chairman should formally delegate to the Chief Information Officer the authority necessary for the management and oversight of the Capital Planning and Investment Control process, to include the full authority to develop and execute all information technology policy, as approved by the Chairman.

    Management Comments. Concur. See Appendix V for management’s full comments.

    OIG Analysis. We are pleased that the Chairman’s office has concurred with this recommendation.

    Recommendation 6:

    The Chairman should revise 17 CFR § 200.13 to provide the Chief Information Officer (CIO) with full authority to develop and issue Information Technology policies and carry out the prescribed substantive responsibilities under 44 U.S.C. § 3506 and OMB Guidance M-09-02, and remove the CIO/Director of the Office of Information Technology from under the supervision of the Executive Director or any position other than the Chairman for those substantive responsibilities.

    Management Comments. Concur. See Appendix V for management’s full comments.

    OIG Analysis. We are pleased that the Chairman’s office has concurred with this recommendation.

[37] IT Capital Investment Decision-Making Follow-Up, Report No. 365, issued March 29, 2004, at p. 9.
[38] CIO and ED delegation authorities signed by the Chairman on August 11, 2009.
[39] The language of 17 C.F.R. § 200.13 clearly provides for the Executive Director to have more than simple administrative authority over the CIO in his role as head of OIT, as it specifies that the Executive Director provides “executive direction” in addition to “administrative control” and has ultimate responsibility for approving substantive and operational IT policies. We reviewed 17 C.F.R. § 200.13 on LexisNexis, where it had been updated through the January 14, 2010 issue of the Federal Register.

Finding 4: The CPIC Internal Regulation Needs to be Revised to be Enforceable Throughout the Commission

    The formal CPIC policy document, Securities & Exchange Commission Regulation (SECR) 24-02, does not have an enforcement mechanism to ensure that all Commission Divisions/Offices adhere to the policy.

The primary policy document governing the CPIC process applies to all SEC divisions and offices and to all IT investments regardless of size. Section 5(j) of SECR 24-02 states that “[t]he CIO shall hold all SEC personnel accountable for the IT investments and resources entrusted to them.”[40] The provision further states that “[t]he CIO shall work with the Associate Executive Director for Human Resources to determine how to institutionalize such accountability.”[41] While we commend OIT for having these statements in their policy, we could not determine how the requirements are being implemented.

We discussed this issue with the CIO, who stated that he did not believe that OIT and OHR had met to determine how to institutionalize the accountability requirement of the policy.
Also, during interviews conducted with business sponsors from OAS, the Division of Enforcement, OCIE and OFM, we found they were not aware of any specific responsibility for the divisions and offices to follow the CPIC processes or policies.

Specifying in SECR 24-02 that it is the responsibility of Regional Directors, Division Directors and Office Heads to ensure that all IT investments within their control adhere to the formal CPIC policies would clarify this matter. Further, it is important that OIT and OHR take the necessary steps to determine how to enforce implementation of the policy adequately. Specifically, they need to develop and provide the CIO and/or IOC with an enforcement mechanism applicable to investments that have been funded outside of the formalized CPIC process. Doing so would strengthen the regulation, make it an enforceable document and thus give the CIO further authority over the CPIC program.

[40] SECR 24-02, “Information Technology Capital Planning and Investment Control,” June 14, 2006, at p. 4.
[41] Id. at pgs. 4-5.
    Recommendation 7:

    The Office of Information Technology should revise SECR 24-02 to:

        • Add a responsibility that the Division Directors, Office Heads, and Regional Directors ensure that all information technology investments within their responsibility adhere to the Capital Planning and Investment Control policies and procedures.

        • Create an enforcement mechanism for the Chief Information Officer and Information Officers Council to utilize when they discover investments that have been funded outside of the Capital Planning and Investment Control process.

    Management Comments. Concur. See Appendix V for management’s full comments.

    OIG Analysis. We are pleased that OIT has concurred with this recommendation.

Finding 5: The OIG Survey Revealed the Need for More Involvement by the Divisions and Offices in Their IT Investments

    Program offices could not populate OIG’s worksheet with data for their projects because they were not directly involved in the day-to-day management of the projects.

The OIG developed and issued an IT Investment Project Questionnaire to 34 divisions and offices within the Commission.[42] Thirty of the 34 offices completed the survey, an 88.2 percent response rate. The survey focused on determining the number of major IT investment projects managed within the SEC and was intended to aid the OIG in identifying the universe of the SEC’s IT investment projects.
What follows are some of the relevant questions asked in the survey and the responses OIG received.

[42] These 34 offices exclude the Chairman’s Office, the Commissioners’ Offices, and offices with duplicative responses.

    (Q4). Did your division/office acquire any IT Investment Projects during calendar year (CY) 2007 to 2009 (January to June) costing $200,000 or more?

                 Yes      No      Total responses
                 12       18      30
                 40%      60%     100%

    (Q5). Did your office exercise any "option years" during CY 2007 to 2009 (January - June) for IT Investment Projects costing $200,000 or more?

                 Yes      No      Total responses
                 5        5       10
                 50%      50%     100%

    (Q6). During CY 2007, 2008, and 2009 (January - June), for any given year did your office acquire two or more related IT Investment Projects costing $200,000 or more from the same vendor?

                 Yes      No      Total responses
                 5        8       13
                 38.5%    61.5%   100%

    (Q7). Did your division/office have any IT Investment Projects costing $200,000 or more that were disapproved, cancelled, or suspended during CY 2007 to 2009 (January - June)?

                 Yes      No      Total responses
                 2        9       11
                 18.2%    81.8%   100%

Results of OIG’s Review of the Selected Survey Questions. For affirmative (yes) responses received to questions 4, 5, and 7, the divisions/offices were asked to populate a worksheet. Although survey responses for question 4 (Q4) indicated that 12 divisions/offices had IT investment projects costing $200,000 or more, only 7 of the 12 completed and provided OIG with the required worksheets. Because not all SEC divisions/offices completed the survey, and we did not receive worksheets from all of the divisions/offices that had IT investments of $200,000 or more, we could not determine the full universe of major IT projects from calendar year (CY) 2007 to June 2009. We used OIT’s project management system, Clarity, to identify the number of IT investment projects that were managed from 2007 to 2009 and found there were approximately 220. The survey results revealed the need for more direct involvement from program offices and further supported the need for better oversight from OIT during the control and evaluate phases of the CPIC process.

Our analysis of the survey revealed that 4 of 7, or 57 percent, of the divisions/offices that provided OIG with a worksheet could not populate the fields using their own internal data. The divisions/offices had to request data from OIT or ask OIT to provide data directly to the OIG.
The fact that 57 percent of the divisions/offices that provided worksheets could not provide comprehensive data for projects within their program areas is a significant concern. Clearly these divisions/offices were not sufficiently involved in their IT projects, since they could not provide information on a particular project. While personnel in these program divisions/offices are not expected to be IT specialists or technical project managers, they should have some direct involvement in the IT investment that was approved and funded to meet a need or improve a process within their program area.

As the survey results illustrate, between CY 2007 and June 2009, 12 Commission divisions/offices had IT investments costing $200,000 or more, 5 divisions/offices exercised an option year, and 2 divisions/offices had an IT investment project that was disapproved, cancelled, or suspended. Yet over half of the respondents that provided worksheets (4 of 7) could not provide detailed information on the projects for which they had requested approval from the CPIC boards.

SEC Operating Directive and the Roles of the Investment Team. SEC Operating Directive 24-02.01 establishes and defines the roles and responsibilities for approved IT projects. According to the Operating Directive, when a project is approved, an investment team is assigned. The investment team is made up of individuals who are responsible for managing and overseeing the project during the control and evaluate phases of the process.[43] An investment team can include 10 members, mostly OIT staff; however, two people must be from the program office.[44] Table 5, shown below, identifies and defines the roles within investment teams.

[43] OD 24-02.01, “Information Technology Investment Management,” dated August 14, 2006, at pgs. 6-11.
[44] Id.

Table 5: Investment Team Roles

Project Sponsor*
    Champion of project approval and successful outcome. Primary owner of the system and stakeholder of the project. Provides constant vigilance to ensure that the project continues to meet the business need. Defines project goals. Sponsor MUST provide adequate authority and support to enable the PM to be successful.

Technical Lead (TL)*
    Technical expertise - Owner of technical action items and outcomes, including the solution's technical design, development, coordination of technical resources, execution of QA processes, and acceptance of technical deliverables.

Business Lead (BL)*
    Functional business expertise - Owner of business action items and outcomes, including the solution's business requirements, coordination of business resources to support the project, and design, execution and acceptance of functional business deliverables. Drives user acceptance testing (UAT), user training and system deployment phases.

Project Manager (PM)*
    Responsible for successful delivery of the project as approved. Manages the project and team to successful project conclusion. Responsible for project planning, communication, coordination, dependencies, issue resolution and risk mitigation. Sponsor MUST provide adequate authority and support to enable the PM to be successful.

Project Expediter
    Administrative support tasks with no authority or responsibility for project delivery. Supports and assists the PM; tasks are essential and must be performed by the PM if no expediter is assigned.

OIT POC (Not TL)
    Explains OIT processes and helps to facilitate introductions and meetings between project team members and key OIT personnel. This person has no specific project related responsibility.

PMO Support*
    CPIC and PM administration, including entering the project in Clarity; advice on CPIC activities, Clarity actions, monthly status reporting; and seeking management support. Not responsible for approval or outcome of the project.

COTR*
    Technical contract administration of the project - Manages the vendor, in accordance with COTR appointment, to comply with all contract terms and requirements. Reviews and approves vendor status reports, deliverables/milestones, invoices, and incentive payments (if applicable). Close interaction with the PM to provide and receive shared information.

Maintenance Manager (MM)*
    Owner of system maintenance. Responsible for system support once in production.

Other*
    Alternative approaches to delineating responsibilities need to be clearly defined and agreed upon by all parties involved. Please use the attached "Roles by Tasks" worksheet to denote any variations.

Source: OP 24-02.01.01.01.A01, IT Investment Plan Instructions
*Required for each project. All others are ad-hoc roles invoked when necessary.

As illustrated in Table 5, OIT’s documented procedures clearly define the roles needed for adequate project management. However, our audit found that these procedures are not being followed for all IT investments. The current Operating Directive requires that two positions (project sponsor and business lead) within the investment team be filled by program office staff. However, this requirement is not being followed for all IT projects.[45] For example, we could not find within the Clarity system an investment team assigned for the IT projects we reviewed. In addition, while we did find that in the four projects we reviewed the sponsoring office had identified a business sponsor and a project manager, we did not find a business lead assigned for any of these projects. Furthermore, we discovered that the business sponsors are often at the Associate or Assistant Director level and do not have sufficient time to devote to the day-to-day management of an IT project.
If the requirements of the current Operating Directive were followed, such that two representatives of the investment team were actually from the program area, the sponsoring office would have more ownership in the project, which we determined would reduce the time and cost to complete an IT project.

The Project Management Body of Knowledge (PMBOK), a well-known guide for project management best practices, discusses the importance of project stakeholder/customer involvement throughout the life of a project. The guide also discusses the creation of two distinct roles: the enforcer and the supporter. The top-level “enforcers” are sponsors of the identified approach, along with “support” staff for consistent delivery according to the identified standards and procedures.[46] These roles illustrate the need to ensure that at least one individual on the program side serves as the business lead (or supporter) on an IT project. The business lead will ensure that the business needs of the project are addressed and interact on a constant basis with the technical IT project manager, further supporting the need for more direct involvement from the office on an approved IT project. Additionally, we note that the consultant previously retained by the agency also identified the need for more program involvement as a problem in the 2007 briefing.[47]

[45] OP 24-02.01.01.01.A01, IT Investment Plan Instructions, at pgs. 3-4.
[46] Project Management Best Practices: An Introduction to PMBOK, February 13, 2008, by Haydn Thomas and Julie Tilke, found at www.cioupdate.com.

Survey Results Pertaining to Policy. The OIG questionnaire also asked respondents if they were aware of the CPIC policies and procedures, as shown in question 8 (Q8).

    (Q8). Are you or other personnel in your division/office aware of the Commission’s policy and other external policy, laws, and regulations, such as OMB Circular A-130, Management of Federal Information Resources, etc., that govern major information systems?

                 Yes      No      Total responses
                 19       8       27
                 70.4%    29.6%   100%

Approximately 70 percent of respondents indicated they were aware of the policies and procedures that govern the CPIC process, but our audit has shown that they are not following all aspects of these governing policies and procedures. We found that OIT has a documented set of policies and procedures for the CPIC process and uses the web-based Project and Portfolio Management information system known as Clarity to support the CPIC and project management processes. The goal of the Clarity system is to provide a central location to view all investment projects with an automated governance review capability. All divisions/offices should have an individual with access to the Clarity system, especially if that office has an ongoing IT project. We were informed by OIT that each project sponsor is encouraged to provide updates within Clarity on the progress of the projects; however, this is not required. Further, we found that OIT offered training courses on the Clarity system seven times during 2008 and 2009, and staff members from only 14 of the 34 SEC divisions/offices attended the training courses.
Full utilization of the Clarity system by the program divisions/offices would enhance the management of IT investments within the Commission and thus improve OIT’s ability to address the control and evaluate phases of the CPIC process.

[47] The Consultant’s SEC Executive Briefing Responses, dated November 19, 2007.

    Recommendation 8:

    The Office of Information Technology should conduct periodic internal reviews to ensure that the requirements in Operating Directive 24-02.01, Information Technology Investment Management, are enforced (e.g., the requirement that two representatives from the program area be identified for all ongoing projects).

    Management Comments. Concur. See Appendix V for management’s full comments.

    OIG Analysis. We are pleased that OIT has concurred with this recommendation.

    Recommendation 9:

    The Office of Information Technology should require that all divisions and offices use OIT’s project management system and that they update and maintain the data in the system for the investments within their program areas.

    Management Comments. Concur. See Appendix V for management’s full comments.

    OIG Analysis. We are pleased that OIT has concurred with this recommendation.
Appendix I

Acronyms and Abbreviations

APS                  Automated Procurement System
CIO                  Chief Information Officer
CPIC                 Capital Planning and Investment Control
CY                   Calendar Year
ED                   Executive Director
GAO                  Government Accountability Office
IT                   Information Technology
ITCPC                Information Technology Capital Planning Committee
IOC                  Information Officers Council
OAS                  Office of Administrative Services
OCIE                 Office of Compliance Inspections and Examinations
OHR                  Office of Human Resources
OFM                  Office of Financial Management
OIG                  Office of Inspector General
OIT                  Office of Information Technology
PRB                  Project Review Board
PM                   Project Manager
PMO                  Project Management Office
SAM                  Strategic Acquisition Manager
SECR                 Securities & Exchange Commission Regulation
SEC or Commission    U.S. Securities and Exchange Commission
UAT                  User Acceptance Testing

Appendix II

Scope and Methodology

We conducted this performance audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We determined that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Scope. We conducted this audit from June 2009 to November 2009. The scope of the audit included IT investments costing $200,000 or more that were approved, disapproved, cancelled, suspended, or for which an option year was exercised between January 2007 and June 2009. We examined the SEC’s IT investment process structure to determine whether it adhered to applicable laws and regulations. We assessed a selected number of IT investment projects to determine if they adhered to the established capital planning and investment control policies, procedures and process that were in place at the SEC.

Methodology. To address the objective of determining whether the CPIC process and procedures and the PRB, IOC and ITCPC structures adhere to governing Commission policy and applicable federal laws and regulations, we observed meetings of the three governing boards (PRB, IOC, ITCPC). We also determined whether the structure and procedures used followed the procedures outlined in the SEC policies for the CPIC process. Furthermore, we reviewed the SEC’s policies, procedures and processes for IT investments to determine if they adhered to governing federal laws.

To address the second objective of examining whether procedures exist to ensure that major IT investments are properly approved within the CPIC process and are presented to the PRB, IOC and/or ITCPC as appropriate, we utilized the information from the first objective and interviewed selected project sponsors, project managers, board members, the CIO, the ED, and relevant OIT staff.
We obtained access to OIT’s project management system, Clarity, and the restricted CPIC SharePoint site to review pertinent documentation for selected IT projects, such as approval documentation, project proposals, status notes, and board meeting minutes.

Finally, to address the third objective, assessing whether major IT investment projects are properly approved by the appropriate CPIC board(s), we performed verification testing of the data housed in the project management system, the restricted CPIC SharePoint site and information revealed during interviews with selected SEC staff.

We also developed an 11-question survey consisting of 8 multiple choice and 3 short answer questions. The questionnaire was designed to obtain feedback from SEC divisions and offices on the Commission’s CPIC process. The survey was issued in August 2009 to the 34 technical points of contact (POCs) for SEC divisions and offices at the Commission’s headquarters and its 11 regional offices, excluding the Chairman’s and Commissioners’ offices. Of the 34 technical POCs that received the questionnaire, 30 respondents, or 88.2 percent, completed the survey. We also conducted interviews with some of the survey respondents and verified support documentation that was provided for the IT investment projects.

Management Controls. We reviewed the management controls that were considered significant within the context of the CPIC process and our audit objectives.
We interviewed personnel from the:

• Office of the Executive Director,
• Office of Administrative Services,
• Office of Financial Management,
• Office of Compliance Inspections and Examinations,
• Office of Human Resources,
• Division of Enforcement, and
• Office of Information Technology.

We also identified and reviewed applicable policies and procedures, obtained and reviewed available CPIC documentation, and verified support data of selected IT investments for compliance with the CPIC process.

Use of Computer-Processed Data. We used computer-processed data, such as reports generated by the Clarity system, information contained on the restricted CPIC SharePoint site, emails, and Excel spreadsheets. We did not perform extensive testing of system or application controls because it was not an audit objective. However, we did test the reliability of the data by testing an IT project from each year (2007-2009) and conducting a reasonableness test of the information by comparing the computerized data with source documents. We concluded that the data in the systems were reliable and accurate enough to state that overall system controls were reasonable.

Judgmental Sampling. We judgmentally selected four of the seven offices/divisions from the IT Investment Projects Questionnaire that had projects costing $200,000 or more between calendar year 2007 and June 2009. We then determined whether these offices/divisions followed the CPIC policies and procedures for their IT investment projects.

Prior OIG Coverage. The OIG previously issued IT Capital Investment Decision-Making Follow-Up, Report No. 365, on March 29, 2004.
The report noted that the Commission was making progress in the IT investment area, but found that its process still did not meet the minimum criteria of GAO’s Information Technology Investment Management Maturity Model and was not in full compliance with applicable laws and regulations. The report contained 25 recommendations. According to the ARTS tracking system, 24 of the 25 recommendations were completed, and the final recommendation was closed in January 2010. We reviewed the documentation and analyzed the support used to close the report’s recommendations and concluded that two recommendations were not completely implemented, even though they had been formally closed. Therefore, this report’s recommendations expand on two prior OIG recommendations made in Report No. 365, pertaining to the CIO’s authority over the CPIC process.

Appendix III

Criteria

The Clinger-Cohen Act of 1996 (National Defense Authorization Act for FY 1996; Public Law 104–106, Division E, February 10, 1996), 40 U.S.C. § 1401 et seq.: Reformed the way in which federal agencies acquire and manage IT resources by establishing effective IT leadership within each agency. Requires each agency to establish clear accountability for IT management activities by appointing a CIO with the management responsibilities necessary to carry out the Act’s specific provisions.

44 U.S.C. § 3506(a): Establishes federal agency responsibilities for federal information policy.
Requires the head of each agency to designate a CIO who will report directly to the head of the agency to carry out the responsibilities for federal information policy.

17 C.F.R. § 200.133, Executive Director: Describes the responsibilities and functions of the Executive Director of the SEC.

OMB Memorandum M-09-02, Information Technology Management Structure and Governance Framework, October 21, 2008: Reaffirms and clarifies the organizational, functional and operational governance framework required within the Executive Branch for managing and optimizing the effective use of IT investments.

SEC Regulation (SECR) 24-02, Information Technology Capital Planning and Investment Control, June 14, 2006: Defines the SEC’s IT CPIC policy and processes, and the responsibilities for complying with key provisions of the Clinger-Cohen Act of 1996 and other relevant authorities.

SEC Operating Directive (OD) 24-02.01, Information Technology Investment Management, August 14, 2006: Defines the processes used in the management of the SEC’s IT investments, as mandated by the Clinger-Cohen Act and further specified in SECR 24-02.

SEC Implementing Instruction (II) 24-02.01.02, Information Technology Investment Control, January 9, 2008: Defines the roles, responsibilities and high-level workflows applicable to the control phase of the SEC’s CPIC process.

SEC Operating Procedure (OP) 24-02.02.02.02.A01, Investment Plan Instructions, January 24, 2008: This guide shows the various sections of the standard investment plan and provides for contributions by the entire investment team to the completion and maintenance of the plan, as coordinated by the designated project manager.

Project Management Institute, A Guide to the Project Management Body of Knowledge, 3rd edition, 2004: This guide identifies and describes the subset of terms that are generally accepted within the project management profession.

Appendix IV

List of Recommendations

Recommendation 1:
The Office of Information Technology should improve its oversight of information technology investments to ensure that projects comply with the requirements in its Capital Planning and Investment Control policies and procedures, specifically those dealing with the implementation of the control and evaluate phases of the Capital Planning and Investment Control process.

Recommendation 2:
The Office of Information Technology should require that status updates be provided every six months for all ongoing projects, to manage resources (staff, cost and time) for information technology investments of $200,000 and above.

Recommendation 3:
The Office of Information Technology should immediately fill the position of Assistant Director for the Project Management Office with an experienced and qualified candidate.

Recommendation 4:
The Office of Information Technology should perform an assessment of the project management function to compare the current ratio of projects per project manager to the industry’s acceptable ratio of projects per project manager.

Recommendation 5:
The Chairman should formally delegate to the Chief Information Officer the authority necessary for the management and oversight of the Capital Planning and Investment Control
process, to include the full authority to develop and execute all information technology policy, as approved by the Chairman.

Recommendation 6:
The Chairman should revise 17 CFR § 200.13 to provide the Chief Information Officer (CIO) with full authority to develop and issue Information Technology policies and carry out the prescribed substantive responsibilities under 44 U.S.C. § 3506 and OMB Guidance M-09-02, and remove the CIO/Director of the Office of Information Technology from under the supervision of the Executive Director or any position other than the Chairman for those substantive responsibilities.

Recommendation 7:
The Office of Information Technology should revise SECR 24-02 to:

• Add a responsibility that the Division Directors, Office Heads, and Regional Directors ensure that all information technology investments within their responsibility adhere to the Capital Planning and Investment Control policies and procedures.

• Create an enforcement mechanism for the Chief Information Officer and Information Officers Council to utilize when they discover investments that have been funded outside of the Capital Planning and Investment Control process.

Recommendation 8:
The Office of Information Technology should conduct periodic internal reviews to ensure that the requirements in Operating Directive 24-02.01, Information Technology Investment Management, are enforced (e.g., the requirement that two representatives from the program area be identified for all ongoing projects).

Recommendation 9:
The Office of Information Technology should require that all divisions and offices use OIT’s project management system and that they update and maintain the data in the system for
the investments within their program areas.

Appendix V

Management Comments

UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549

THE CHAIRMAN

Memorandum

Date: March 12, 2010

To: David Kotz, Inspector General, OIG
Jacqueline Wilson, Assistant Inspector General, OIG

From: Mary L. Schapiro, Chairman

Subject: Response to OIG Report 466, Assessment of the SEC Information Technology Investment Process

I appreciate the opportunity to comment on certain aspects of your recent review of the SEC’s information technology (IT) investment process (Draft Report No. 466, Assessment of the SEC Information Technology Investment Process, Feb. 23, 2010). My comments here focus on recommendations 5 and 6 and related findings, which are addressed to me. I understand the Director of the Office of Information Technology will be commenting on other aspects of the draft report.

The size and complexity of the U.S. capital markets the SEC is responsible for monitoring make it imperative that the SEC make the best possible use of technology to leverage its staff’s expertise. A sound IT investment process must lead to strategically focused acquisitions that are both prudent and creative. I am, therefore, pleased to note the significant
improvement your draft report found since the last such assessment in 2004 (Report No. 365, IT Capital Investment Decision-Making Follow-up, Mar. 29, 2004).

That progress continues. In January of this year, after an internal review of roles and responsibilities relating to the SEC’s IT investments, I approved revised charters for the three distinct bodies that review and approve proposed IT investments. I am confident that these revised processes address a number of the concerns raised in this report, which was, of necessity, based largely on observations of practice under the now superseded IT investment processes.

I am committed to having a Chief Information Officer (CIO) who is fully empowered to meet the important responsibilities envisioned by the Clinger-Cohen Act (CCA) and other applicable laws and implementing guidance. As a result and subject to the comments that follow, I concur in recommendations 5 and 6 inasmuch as they point out that the SEC’s CIO must have all authority required by law and necessary to discharge his responsibilities.

Recommendations 5 and 6 also assert that, even after the delegations of authority my predecessor made to the CIO in 2007, the CIO does not have the full authority mandated by the Clinger-Cohen Act and related Office of Management and Budget (OMB) implementing guidance. While I am informed that the intention of the 2007 delegations was to fully implement all applicable legal requirements, I am asking our General Counsel to advise me as to whether the current delegations do, in fact, give the CIO all authority the law and related implementing guidance require.
Should the General Counsel conclude

Memorandum

Date: March 11, 2010

To: David Kotz, Inspector General, OIG
Jacqueline Wilson, Assistant Inspector General, OIG

From: Charles Boucher, Chief Information Officer, OIT

cc: Kayla Gillan, Deputy Chief of Staff, Office of the Chairman
Diego Ruiz, Executive Director, OED

Subject: Management Response to OIG Report 466, Assessment of the SEC Information Technology Process

The Office of Information Technology appreciates the opportunity to comment on the subject report. This memo responds to the seven recommendations directed to OIT only; as I understand, the Office of the Chairman will respond to the other two (#5 and #6).

We are pleased with the Office of Inspector General’s acknowledgement of the significant progress that the SEC has made since the OIG previously examined the issue of information technology investment six years ago (Report No. 365, March 29, 2004). At that time, the OIG identified major deficiencies in the agency’s IT capital investment decision-making process, including that a majority of spending on IT investments did not go through the established IT Capital Planning and Investment Control process (CPIC). The 2004 report contained 25 recommendations for agency action to address a broad range of deficiencies.
To address these recommendations, the agency has since undertaken significant efforts, involving the commitment of substantial resources, to improve oversight and controls over IT decision-making. And as you know, the agency has in fact successfully completed corrective action on all of the recommendations from this previous report.

In contrast to 2004, the current OIG report concludes that the SEC has a documented structure, approval process, and adequate procedures for the approval and oversight of IT investments that adhere to governing Commission policy and applicable federal law and regulations. The OIG’s report also acknowledges that the SEC “has gone to great lengths, and expended significant resources” to implement this improved IT Capital Planning and Investment Control process.

While these achievements demonstrate the real improvements that have been made in the past several years, we are committed to continue to work for further improvement in controls and oversight over IT capital decision-making. For this reason, we welcome the findings and recommendations of the Office of Inspector General, and are pleased to respond and provide comments on your final report.

We concur, with comment, on the seven recommendations directed to OIT. We agree with the intent of these recommendations: to strengthen compliance with capital investment policies and procedures; provide improved reporting on project status; further enhance OIT’s project management capabilities; and ensure the active involvement of program offices in system design and implementation. These goals are consistent with our goals for OIT.
I would like to share with you my comments on three issues in the report where I believe that clarifications or additional information are needed.

First, with respect to the discussion on pages 10-14 regarding the agency’s 2008 decision to cancel the Strategic Acquisition Manager (SAM) IT project, I was not at the SEC at that time. However, I’ve been informed that the OIG report accurately notes that the SAM project, whose initiation had been approved by the Information Officers Council (IOC) in April 2005, was cancelled in the spring of 2008 as a result of poor performance. These performance problems included major unresolved system defects, little or no quality control over bug fixes, significant turnover of vendor personnel and lack of qualified customer service support. In accordance with the Federal Acquisition Regulation, a Cure Notice was issued to the vendor in March 2008. The decision to cancel the contract was made after the vendor indicated that an attempt to correct the problems could result in the expenditure of substantial taxpayer dollars and there was no guarantee that such problems could be fixed. As I also understand, throughout this process, the Office of Administrative Services (OAS), which is responsible for overseeing agency contracts, worked in close collaboration with OIT and the then-CIO, and relied extensively on OIT’s technical expertise. After the decision to cancel the contract, OAS made a two hour presentation to the Project Review Board (PRB) and IOC on lessons learned and on its plans to re-compete the contract. Although the report is correct that the IOC never formally approved the replacement contract, I understand that the IOC was periodically apprised of further progress.

I also want to mention that both situations identified in your report as deviating from policy were projects that terminated either the contract or the entire project.
It is important to note that, in the past, the agency’s CPIC project approval activities overlapped with budget activities, and the roles and responsibilities of the SEC’s Senior Procurement Executive were not integrated fully within the CPIC process. In January 2010, however, the SEC approved new charters for the PRB and IOC that, among other things, assign the panels new responsibilities to provide oversight and project management assistance to IT projects after they are selected. The new PRB charter, for instance, specifically requires reports to be provided if a project is not expected to meet cost, schedule or performance levels established in its baseline. With the new charters in place, the agency now has a suitable framework in place to review instances, such as was identified with SAM several years ago, of poor IT contractor performance. The new charter, for the first time, lists the Head of the Contracting Agency as a voting member of the Board.

Second, with respect to the report’s findings on pages 15-18 regarding project management, over the past few years OIT has maintained a centralized project tracking system to help manage the delivery of technology projects, with a clear overall record of on time, under budget, and within scope results. While I agree with the two recommendations suggested by OIG, I do not believe that an accurate indication of OIT’s project management capabilities can be measured merely by counting the number of OIT staff who have obtained non-required project management certificates. In addition, given the significant number of IT projects underway at any given time, as a general matter OIT has found it more effective to assign project management responsibilities broadly throughout the office, rather than rely on a limited number of project management specialists to oversee IT projects. Finally, we would note that many OIT staff who perform core project management oversight also receive supplemental project management assistance from the contractors.

Finally, with respect to the results of OIG’s survey reported on pages 23-28, while we agree with OIG on the vital importance of ensuring that program offices are fully involved with critical decisions, such as defining an IT project’s requirements or its implementation, we do not agree with your conclusion that, because divisions and offices do not independently maintain information about IT projects and instead refer to the OIT project tracking system, this means that businesses “were not sufficiently involved in their IT projects.” To the contrary, we strongly believe that keeping track of the status of IT projects in a single centralized system is a more efficient way to track progress, and we also have specialized staff to ensure consistency and perform management reporting. Further, while the report notes that “business sponsors are often at the Associate or Assistant Director level and do not have sufficient time to devote to day-to-day management of an IT project,” in fact, day-to-day oversight of a project is properly the responsibility of the Project Manager, not the Business Sponsor, who is not expected to be involved with day-to-day management but instead to provide the business authority and overall support to implement the project.
This being said, I also agree that the partnership between OIT and the SEC’s businesses on technology projects can and should be strengthened, and made more consistent throughout the organization.

In closing, thank you for your work on this audit, and for the opportunity to provide comments on your review of the SEC’s IT investment process. Because of the important role that information technology plays in enabling the SEC to successfully carry out its mission, I welcome the results of your review, and am committed to continuing to build on the significant progress that has been made to date.

Appendix VI

Office of Inspector General
Response to Management’s Comments

We are pleased that the Office of the Chairman and OIT have concurred with all nine of the report’s recommendations. We believe that these recommendations, when implemented, will strengthen the CIO’s authority as required by law and will improve the Commission’s ability to comply with mandated statutes, regulations and guidance as they pertain to the management and oversight of capital investments. Below is OIG’s response to OIT’s management comments on Findings 1, 2, and 5.

In OIT’s management comments on Finding 1, the CIO acknowledged that “the [OIG] report is correct that the IOC never formally approved the replacement contract,” although the CIO stated that he understood that the IOC was periodically apprised of progress.
However, as we found in our audit, and as OIT does not dispute, OAS was allowed to commence the APS project without formal approval from the CPIC boards. Providing the CPIC board members with a “lessons learned” presentation regarding cancelling the SAM IT project after the fact does not constitute compliance with the established IOC process and procedures. Moreover, these procedures clearly require formal approval, not simply being periodically apprised of the progress of a project. We would also note that OIT did not dispute in its management comments our concern that OIT had already received approved funding from the SEC Executive Director for the APS project before and without going through the Commission’s established boards.

Second, in OIT’s management comments on Finding 2, the CIO stated “I agree with the two recommendations suggested by the OIG,” although he noted he did not believe that an accurate indication of OIT’s project management capabilities can be measured by counting the number of OIT staff who have obtained project management certificates. We would point out that the finding in our report that project managers were unable to dedicate the necessary time to manage projects properly was based not only on the fact that there were 220 projects assigned to only 12 certificated project managers, but also on direct feedback from project managers and specific and concrete examples where problems with projects were directly attributed to inadequate project management.
Further, while we take no position on management’s decision to assign PM responsibilities broadly throughout the office rather than relying upon a limited number of PM specialists, we must highlight that the roles and responsibilities in CPIC policy require the PM for an IT investment to meet the PM qualifications described in OD 24-02.04, IT Project Management Qualification Standards.

Finally, with respect to the OIG survey issued and its results in Finding 5, we note that OIT misinterpreted this finding in its management comments. The CIO stated in the OIT comments that he does “not agree with [the OIG’s] conclusion that, because divisions/offices do not independently maintain information about IT projects and instead refer to the OIT project tracking system, this means that businesses ‘were not sufficiently involved in their IT projects.’” We must point out that our audit did not raise an issue with the program offices utilizing the project tracking system. We agree that keeping track of IT projects in a single centralized system is efficient and, in fact, encourage use of the project tracking system, as Recommendation 9 states that “OIT should require all divisions and offices use the project management system . . . .” However, our audit found that the fact that a significant percentage (57%) of offices/divisions were unable to provide basic data about their projects without having to request the information from OIT was a strong indication that these divisions/offices were not sufficiently involved in their IT projects.
In addition, with respect to the CIO’s comment about the day-to-day oversight of a project being the responsibility of the project manager, not the business sponsor, we would note that in our view, and as discussed in the Project Management Body of Knowledge, the business lead should also play a significant day-to-day role in ensuring that the business needs of the project are addressed and in interacting on a constant basis with the technical IT project manager. Thus, our concern that these business sponsors are at the Associate or Assistant Director level remains.

Audit Requests and Ideas

The Office of Inspector General welcomes your input. If you would like to request an audit in the future or have an audit idea, please contact us at:

U.S. Securities and Exchange Commission
Office of Inspector General
Attn: Assistant Inspector General, Audits (Audit Requests/Ideas)
100 F Street, N.E.
Washington D.C. 20549-2736

Tel. # 202-551-6061
Fax # 202-772-9265
Email: oig@sec.gov

Freedom of Information Act (FOIA)

Hotline
To report fraud, waste, abuse, and mismanagement at the Commission, contact the Office of Inspector General at:

Phone: 877.442.0854

Web-Based Hotline Complaint Form:
www.reportlineweb.com/sec_oig